27001 Page 1

27001 Mandatory Requirements

4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS (PLAN)
  4.2.1.a Define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology, including details of and justification for any exclusions from the scope.
  4.2.1.b Define an ISMS policy in terms of the characteristics of the business, the organization, its location, assets and technology.
  4.2.1.c Define the risk assessment approach of the organization.
  4.2.1.d Identify the risks.
  4.2.1.e Analyse and evaluate the risks.
  4.2.1.f Identify and evaluate options for the treatment of risks.
  4.2.1.g Select control objectives and controls for the treatment of risks.
  4.2.1.h Obtain management approval of the proposed residual risks.
  4.2.1.i Obtain management authorization to implement and operate the ISMS.
  4.2.1.j Prepare a Statement of Applicability.

4.2.2 Implement and operate the ISMS (DO)
  4.2.2.a Formulate a risk treatment plan that identifies the appropriate management action, resources, responsibilities and priorities for managing information security risks.
  4.2.2.b Implement the risk treatment plan in order to achieve the identified control objectives, which includes consideration of funding and allocation of roles and responsibilities.
  4.2.2.c Implement the controls selected in 4.2.1.g to meet the control objectives.
  4.2.2.d Define how to measure the effectiveness of the selected controls or groups of controls, and specify how these measurements are to be used to assess control effectiveness so as to produce comparable and reproducible results (see 4.2.3.c).
  4.2.2.e Implement training and awareness programmes (see 5.2.2).
  4.2.2.f Manage the operation of the ISMS.
  4.2.2.g Manage the resources of the ISMS (see 5.2).
  4.2.2.h Implement procedures and other controls capable of enabling prompt detection of and response to security incidents (see 4.2.3).

4.2.3 Monitor and review the ISMS (CHECK)
  4.2.3.a Execute monitoring and review procedures and other controls.
  4.2.3.b Undertake regular reviews of the effectiveness of the ISMS (including meeting the ISMS policy and objectives, and review of security controls), taking into account the results of security audits, incidents, effectiveness measurements, and suggestions and feedback from all interested parties.
  4.2.3.c Measure the effectiveness of controls to verify that security requirements have been met.
  4.2.3.d Review risk assessments at planned intervals, and review the level of residual risk and identified acceptable risk.
  4.2.3.e Conduct internal ISMS audits at planned intervals (see 6).
  4.2.3.f Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified (see 7.1).
  4.2.3.g Update security plans to take into account the findings of monitoring and reviewing activities.
  4.2.3.h Record actions and events that could have an impact on the effectiveness or performance of the ISMS (see 4.3.3).

4.2.4 Maintain and improve the ISMS (ACT)
  4.2.4.a Implement the identified improvements in the ISMS.
  4.2.4.b Take appropriate corrective and preventive actions in accordance with 8.2 and 8.3. Apply the lessons learnt from the security experiences of other organizations and those of the organization itself.
  4.2.4.c Communicate the actions and improvements to all interested parties with a level of detail appropriate to the circumstances and, as relevant, agree on how to proceed.
  4.2.4.d Ensure that the improvements achieve their intended objectives.

4.3 Documentation requirements

4.3.1 General - The ISMS documentation shall include:
  4.3.1.a documented statements of the ISMS policy (see 4.2.1.b) and objectives;
  4.3.1.b the scope of the ISMS (see 4.2.1.a);
  4.3.1.c procedures and controls in support of the ISMS;
  4.3.1.d a description of the risk assessment methodology (see 4.2.1.c);
  4.3.1.e the risk assessment report (see 4.2.1.c to 4.2.1.g);
  4.3.1.f the risk treatment plan (see 4.2.2.b);
  4.3.1.g documented procedures needed by the organization to ensure the effective planning, operation and control of its information security processes and to describe how to measure the effectiveness of controls (see 4.2.3.c);
  4.3.1.h records required by this International Standard (see 4.3.3); and
  4.3.1.i the Statement of Applicability.

4.3.2 Control of documents - Documents required by the ISMS shall be protected and controlled; the organization shall:
  4.3.2.a approve documents for adequacy prior to issue;
  4.3.2.b review and update documents as necessary and re-approve documents;
  4.3.2.c ensure that changes and the current revision status of documents are identified;
  4.3.2.d ensure that relevant versions of applicable documents are available at points
  4.3.2.e ensure that documents remain legible and readily identifiable;
  4.3.2.f ensure that documents are available to those who need them, and are transferred, stored and disposed of in accordance with the procedures applicable to their classification;
  4.3.2.g ensure that documents of external origin are identified;
  4.3.2.h ensure that the distribution of documents is controlled;
  4.3.2.i prevent the unintended use of obsolete documents; and
  4.3.2.j apply suitable identification to them if they are retained for any purpose.

4.3.3 Control of records - Records shall be established and maintained to provide evidence of conformity to requirements and of the effective operation of the ISMS. They shall be protected and controlled. The ISMS shall take account of any relevant legal or regulatory requirements and contractual obligations. Records shall remain legible, readily identifiable and retrievable. The controls needed for the identification, storage, protection, retrieval, retention time and disposition of records shall be documented and implemented. Records shall be kept of the performance of the process as outlined in 4.2 and of all occurrences of significant security incidents related to the ISMS.

5 Management responsibility

5.1 Management commitment - Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
  5.1.a establishing an ISMS policy;
  5.1.b ensuring that ISMS objectives and plans are established;
  5.1.c establishing roles and responsibilities for information security;
  5.1.d communicating to the organization the importance of meeting information security objectives and conforming to the information security policy, its responsibilities under the law and the need for continual improvement;
  5.1.e providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS (see 5.2.1);
  5.1.f deciding the criteria for accepting risks and for acceptable risk levels;
  5.1.g ensuring that internal ISMS audits are conducted (see 6); and
  5.1.h conducting management reviews of the ISMS (see 7).

5.2 Resource management

5.2.1 Provision of resources - The organization shall determine and provide the resources needed to:
  5.2.1.a establish, implement, operate, monitor, review, maintain and improve an ISMS;
  5.2.1.b ensure that information security procedures support the business requirements;
  5.2.1.c identify and address legal and regulatory requirements and contractual security obligations;
  5.2.1.d maintain adequate security by correct application of all implemented controls;
  5.2.1.e carry out reviews when necessary, and react appropriately to the results of these reviews; and
  5.2.1.f where required, improve the effectiveness of the ISMS.

5.2.2 Training, awareness and competence - The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by:
  5.2.2.a determining the necessary competencies for personnel performing work affecting the ISMS;
  5.2.2.b providing training or taking other actions (e.g. employing competent personnel) to satisfy these needs;
  5.2.2.c evaluating the effectiveness of the actions taken; and
  5.2.2.d maintaining records of education, training, skills, experience and qualifications (see 4.3.3).
The organization shall also ensure that all relevant personnel are aware of the relevance and importance of their information security activities and how they contribute to the achievement of the ISMS objectives.

6 Internal ISMS audits

The organization shall conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of its ISMS:
  conform to the requirements of this International Standard and relevant legislation or regulations;
  conform to the identified information security requirements;
  are effectively implemented and maintained; and
  perform as expected.

An audit programme shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods shall be defined. Selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditors shall not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.3.3), shall be defined in a documented procedure.

The management responsible for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of verification results (see 8).
7 Management review

7.1 General - Management shall review the organization's ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained (see 4.3.3).

7.2 Review input - The input to a management review shall include:
  7.2.a results of ISMS audits and reviews;
  7.2.b feedback from interested parties;
  7.2.c techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness;
  7.2.d status of preventive and corrective actions;
  7.2.e vulnerabilities or threats not adequately addressed in the previous risk assessment;
  7.2.f results from effectiveness measurements;
  7.2.g follow-up actions from previous management reviews;
  7.2.h any changes that could affect the ISMS; and
  7.2.i recommendations for improvement.

7.3 Review output - The output from the management review shall include any decisions and actions related to the following:
  7.3.a Improvement of the effectiveness of the ISMS.
  7.3.b Update of the risk assessment and risk treatment plan.
  7.3.c Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
    7.3.c.1 business requirements;
    7.3.c.2 security requirements;
    7.3.c.3 business processes affecting the existing business requirements;
    7.3.c.4 regulatory or legal requirements;
    7.3.c.5 contractual obligations; and
    7.3.c.6 levels of risk and/or risk acceptance criteria.
  7.3.d Resource needs.
  7.3.e Improvement to how the effectiveness of controls is being measured.
8 ISMS improvement

8.1 Continual improvement - The organization shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review (see 7).

8.2 Corrective action - The organization shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedure for corrective action shall define requirements for:
  8.2.a identifying nonconformities;
  8.2.b determining the causes of nonconformities;
  8.2.c evaluating the need for actions to ensure that nonconformities do not recur;
  8.2.d determining and implementing the corrective action needed;
  8.2.e recording the results of action taken (see 4.3.3); and
  8.2.f reviewing the corrective action taken.

8.3 Preventive action - The organization shall determine action to eliminate the cause of potential nonconformities with the ISMS requirements in order to prevent their occurrence. Preventive actions taken shall be appropriate to the impact of the potential problems. The documented procedure for preventive action shall define requirements for:
  8.3.a identifying potential nonconformities and their causes;
  8.3.b evaluating the need for action to prevent the occurrence of nonconformities;
  8.3.c determining and implementing the preventive action needed;
  8.3.d recording the results of action taken (see 4.3.3); and
  8.3.e reviewing the preventive action taken.
The organization shall identify changed risks and identify preventive action requirements, focusing attention on significantly changed risks. The priority of preventive actions shall be determined based on the results of the risk assessment.

[Checklist columns of the worksheet: Yes / No / Check / Done. In the extracted sheet every entry is marked N.]

27002 Page 9 - 17799 Domain (fragment; the text is cut off in the source)

... instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganised. Processes have developed to the stage where similar procedures are followed by different people undertaking